The Weakest Link in Healthcare Data Security

By chrischristy - October 4, 2018

We live in a world with amazingly effective cybersecurity, so bad actors must seek the weakest link when working around technological defenses.

Using technology to implement or enhance cybersecurity is an obvious part of any organizational security policy, but even the most robust security solutions can be compromised by simple human error — and that’s what cybercriminals hope to exploit.

Tools have become largely automated, reducing the dependency on human intervention to ensure effectiveness and minimize the chances of error, but limiting or removing the role people play can actually make them underestimate their role in cybersecurity. Reducing the attack surface is great, but when people become the most vulnerable point of attack, it becomes truly important that they understand what is at risk.

The target and the threat

Movies and television have given us a mythological view of hacking. Compromising security to access valuable data doesn’t require fast typing, cloak and dagger operations, sardonic wit or even a hoodie. In fact, it’s quite the opposite when it comes to social engineering.

We’ve all come to expect threats via spoofed emails, questionable websites and phishing attacks, so our guard might be down if we get a friendly caller who just can’t remember their PIN or wants to know a random bit of seemingly innocuous information.

Focusing purely on cybersecurity can lead to overlooking analog threats to data.

Maybe you found a USB drive, and you want to see what’s on it. It wouldn’t be the first time someone fell victim to USB baiting. And with the increasing availability of public USB ports, you should even be wary of public charging ports. Too casual with your cyber hygiene and you could be joining the Department of Health and Human Services’ Office of Civil Rights HIPAA Violators Wall of Shame.

The consequences of a breach

Criminals are looking for data to sell; that’s the valuable asset. It can be used for identity theft, fraudulent billing and other commercial activity, filing fake tax returns and pocketing the refunds — the applications are too many to list. And the impact of an attack is magnified with medical information. In the case of a ransomware attack, there is the direct cost of ransom monies paid, but there are other measurable and immeasurable costs associated with an attack.

System outages can result in lost revenue and, depending on the nature of your business, can also include penalties from SLA breaches. Losing credibility and customer faith are major intangible costs, leading to customers’ leaving and potential customers avoiding your business from the start. Not only would you lose revenue, but you’d likely have to invest in public relations efforts to repair your public image.

In some cases, the consequences involve both money and reputation. The most recent example of this would be the settlements reached between the HHS Office of Civil Rights and Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital. ABC Television was filming part of their series “Boston Med” at those locations, and they casually portrayed patients and their families during the shoot. As a result, the three organizations were fined for not obtaining patient permission, and settlements were reached in September for about $1 million.

Then there was the case of a hospital employee who set up a side business selling medical records information. Not in my wildest dreams could I imagine a hospital staff member callously disregarding security measures, let alone that they would go as far as actively selling health care information.

An ounce of prevention

These outcomes could have been avoided with better training and orientation about the importance and patient privacy and the tactics used by attackers. I am convinced that few individuals in the healthcare value chain act maliciously to compromise patient information, but even an innocent mishap or lack of oversight can lead to terrible consequences.

With proper training, the risk presented by users can be minimized. Like most things, however, it takes a concerted and repeated effort to ensure that staff understands common security pitfalls and how even the most sophisticated systems are one click away from disaster.

A partner for security

Rackspace understands the importance of education in the fight against cyberthreats, which is why we created the “Win the Cyberwar” webinar series. Hear Rackspace security experts offer current and useful advice that can help you define your strategy to defend against incidents and minimize disruption.